Sophos UTM 9.6 now also offers the long-awaited support for free Let's Encrypt certificates. Although the UTM only supports the ACMEv1 protocol and therefore cannot request wildcard certificates, SAN certificates with up to 100 DNS names can be requested automatically.
Brief overview of Let's Encrypt
Let's Encrypt is a certificate authority (CA) that is now recognized as trustworthy by almost every device. Just as with the well-known CAs such as Thawte, DigiCert and Comodo, almost all browsers, clients and devices accept certificates from Let's Encrypt and do not display a certificate warning such as "This website is insecure".
In contrast to the certificates of other CAs, Let's Encrypt certificates are free of charge and can be requested and issued almost fully automatically. SAN certificates with several domain and host names in particular can be quite expensive with the established CAs. Although the prices for standard certificates have already fallen significantly, you still pay EUR 129 for a domain-validated SAN certificate with a 2-year term at Thawte. Certificates from other CAs are sometimes even more expensive.
Let's Encrypt also issues domain-validated certificates, but only with a validity period of 3 months. So if you don't want to manually exchange certificates on web servers and other hosts every 3 months, you need to think about automation. For this purpose Let's Encrypt offers the ACME protocol (yes, it really is called that). With the appropriate clients, which are available for almost every platform, certificates can be requested automatically and renewed before they expire, so the short validity period of 3 months is hardly a problem. Wildcard certificates can even be requested using the ACMEv2 protocol. However, this requires validation via DNS, which makes automation more difficult. Certificates requested with the ACMEv1 protocol can be validated via HTTP as well as via DNS, and HTTP validation is particularly easy to automate.
Let's Encrypt only issues domain-validated certificates, so it is only necessary to prove that the person requesting the certificate has control over the corresponding domain. Extended Validation certificates (green bar in the browser) cannot be requested via Let's Encrypt.
Let's Encrypt currently only offers "web server" certificates; other certificate types such as S/MIME or code signing certificates cannot be requested.
However, Let's Encrypt certificates can be used wonderfully for all types of web services. Rather than publishing a service on the Internet via plain HTTP (mail, extranet, intranet, user portal, etc.), TLS-encrypted communication can be implemented with Let's Encrypt certificates with little effort and cost.
Sophos UTM 9.6 and Let's Encrypt
Note: As with any other public CA with domain validation, no certificates can be issued for DNS names that cannot be publicly resolved (e.g. utm.frankysweb.local, hostxy.frankysweb.intern, etc.). If the UTM requests a certificate via ACMEv1, Let's Encrypt validates the domains via HTTP. Let's Encrypt must therefore be able to resolve all configured domain names via DNS and reach them via port 80 (HTTP).
Let's Encrypt is very easy to configure on the UTM 9.6. However, as already mentioned, only SAN certificates can be requested. Wildcard certificates cannot be requested due to the lack of ACMEv2 support.
In order for Let's Encrypt certificates to be requested and renewed automatically, the setting "Allow Let's Encrypt certificates" must first be activated:
After Let's Encrypt has been activated, a certificate can be requested.
A name must be specified for the new certificate and the "Let's Encrypt" method must be selected. The "Interface" item is important here: the interface on which the specified domains can be reached via port 80 must be selected. All specified domains must be resolvable in DNS and accessible from the Internet via port 80, so as a rule this is an external interface (WAN). If several external WAN interfaces are used, several certificates must be requested, one per interface. This may be the case, for example, if the UTM user portal is accessible via WAN IP1 and the web protection via WAN IP2.
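The two prerequisites above (every SAN name must resolve publicly, and must answer on port 80 on the interface the certificate is bound to) are easy to get wrong with internal names or a second WAN address. The following pre-flight check is an added example, not Sophos code or a script from the original post: it runs the same checks the HTTP validation depends on for each name before the request is saved on the UTM. The host names, the WAN address 203.0.113.10 (a documentation range) and the injectable `resolver`/`prober` hooks are assumptions made for this example.

```python
"""Pre-flight check for ACME HTTP-01 prerequisites (added example, not Sophos code).

Before asking the UTM to request a Let's Encrypt certificate, confirm that every
DNS name intended for the SAN list resolves publicly and answers on TCP port 80
at the address of the interface the certificate will be bound to.
"""
import socket
from dataclasses import dataclass, field


@dataclass
class HostCheck:
    name: str
    resolved: list = field(default_factory=list)   # addresses found in DNS
    on_expected_ip: bool = False                   # any address on the chosen WAN interface?
    port80_open: bool = False                      # TCP/80 reachable on that address?

    @property
    def ok(self) -> bool:
        return bool(self.resolved) and self.on_expected_ip and self.port80_open


def resolve_ipv4(name: str) -> list:
    """Return the IPv4 addresses that name resolves to, or [] if resolution fails."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_port_open(ip: str, port: int = 80, timeout: float = 3.0) -> bool:
    """True if a TCP connection to ip:port succeeds within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_host(name, expected_ips, resolver=resolve_ipv4, prober=tcp_port_open) -> HostCheck:
    """Run the HTTP-01 prerequisites for one SAN name.

    resolver and prober are injectable (an assumption of this example) so the
    decision logic can be exercised offline.
    """
    result = HostCheck(name=name, resolved=resolver(name))
    matching = [ip for ip in result.resolved if ip in expected_ips]
    result.on_expected_ip = bool(matching)
    # Only probe addresses that belong to the selected interface: a name that
    # answers on port 80 somewhere else still fails validation on the UTM.
    result.port80_open = any(prober(ip) for ip in matching)
    return result


def preflight(names, expected_ips, resolver=resolve_ipv4, prober=tcp_port_open) -> dict:
    """Check every name; returns {name: HostCheck}."""
    return {n: check_host(n, expected_ips, resolver, prober) for n in names}


def failing_names(results: dict) -> list:
    """Names that would make the whole certificate request fail."""
    return sorted(n for n, r in results.items() if not r.ok)


if __name__ == "__main__":
    # Constructed sample: WAN address and SAN names of a hypothetical UTM.
    WAN_IPS = {"203.0.113.10"}
    SAN_NAMES = ["utm.example.org", "portal.example.org", "utm.frankysweb.local"]
    results = preflight(SAN_NAMES, WAN_IPS)
    for name, r in results.items():
        print(f"{name:28s} resolved={r.resolved} wan_ip={r.on_expected_ip} "
              f"port80={r.port80_open} -> {'OK' if r.ok else 'FAIL'}")
    print("fix before requesting:", failing_names(results))
```

Run it from a machine outside your own network (or one whose DNS view matches the public one), otherwise an internal zone can make a `.local` name look resolvable. Because Let's Encrypt rejects the whole request if a single name fails, the list returned by `failing_names` is what has to be cleaned up before the certificate is saved on the UTM.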
All host names that the certificate should contain must now be entered in the "Domains" field:
After the certificate request has been saved, the status can be checked in the new "Let's Encrypt" live log:
The log is also very helpful for troubleshooting; in my case the certificate was issued successfully:
If the certificate has been successfully requested and issued, the certificate is marked with a small green symbol:
Up to this point the certificate has only been issued; it must now also be assigned to the intended services. The new certificate can be used for the Admin Portal, for example:
The certificate can of course also be used for all other services, such as email protection:
Here is an example of the certificate in use with Web Server Protection:
The certificate is valid for 3 months. The UTM automatically replaces the certificate before it expires. It is then no longer necessary to reassign the certificate to the various services. However, I can only say in 3 months whether this will work.
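Whether the automatic renewal really reaches every service it was assigned to is only visible from the outside. The following watchdog is an added example, not Sophos code or a script from the original post: it connects to each published service, reads the certificate that is actually presented, and reports the remaining days, so a service still serving the old certificate shows up before it expires. The service list, the port numbers and the 30-day warning threshold are assumptions chosen for this example.

```python
"""Expiry watchdog for services that use the Let's Encrypt certificate
(added example, not Sophos code).

Checks the certificate each service really presents rather than the one the
UTM believes it has rolled out.
"""
import socket
import ssl
import time


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a TLS connection and return the presented certificate's notAfter
    string as ssl.getpeercert() renders it, e.g. 'Jun  1 12:00:00 2019 GMT'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_remaining(not_after: str, now_epoch: float = None) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    if now_epoch is None:
        now_epoch = time.time()
    return int((expires - now_epoch) // 86400)


def status(days: int, warn_days: int = 30) -> str:
    """Classify the remaining lifetime. warn_days is an assumed threshold."""
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "RENEW-DUE"
    return "OK"


def check_services(services, now_epoch: float = None, fetcher=fetch_not_after,
                   warn_days: int = 30) -> dict:
    """services: iterable of (host, port). Returns {host:port: (days, status)}.
    A connection failure is reported as status 'UNREACHABLE' with days None."""
    report = {}
    for host, port in services:
        key = f"{host}:{port}"
        try:
            not_after = fetcher(host, port)
        except (OSError, ssl.SSLError, KeyError):
            report[key] = (None, "UNREACHABLE")
            continue
        days = days_remaining(not_after, now_epoch)
        report[key] = (days, status(days, warn_days))
    return report


if __name__ == "__main__":
    # Constructed sample: the services the certificate was assigned to.
    SERVICES = [("utm.example.org", 4444),     # Admin Portal
                ("portal.example.org", 443),   # User Portal / Web Server Protection
                ("mail.example.org", 443)]     # Email Protection
    for svc, (days, state) in check_services(SERVICES).items():
        print(f"{svc:28s} days={days} {state}")
```

Because the check looks at the served certificate, a service that kept an old assignment after the UTM renewed the certificate shows a shrinking day count while the other services jump back to roughly 90 days. Run it from a scheduled job and alert on anything other than `OK`.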
Alternative for wildcard certificates
Let's Encrypt offers clients for almost all operating systems, and with the ACMEv1 protocol and HTTP validation, certificate requests and renewals can be largely automated.
However, wildcard certificates require the ACMEv2 protocol and therefore DNS validation. In most cases DNS validation involves some manual effort, as the TXT record used for validation must be created at the domain's DNS hoster. Since very few hosters provide an API for their DNS servers or support corresponding protocols, the TXT record usually has to be created and updated by hand.
The SSLforFree website provides a web interface which requests the certificates via Let's Encrypt and displays the necessary settings for the validation options:
With the SSLforFree website, Let's Encrypt can be used like any other commercial CA. The certificate validity is still 3 months, but with only a few certificates the effort is certainly negligible.